A security researcher from Trustwave says administrators often underestimate the security risks facing JBoss servers. Armed with a new tool, he will speak at the upcoming AthCon conference about how these servers can be compromised and what your enterprise can do about it.
A researcher from Trustwave will highlight JBoss server security
at the inaugural AthCon security
In a presentation, Trustwave security consultant Christian Papathanasiou
will unveil a new tool for compromising JBoss servers and discuss best
practices for protecting JBoss servers.
"In essence no vulnerabilities are being exploited per say, [but] due to the
complexity of the JBoss
AS [application server] suite,
many admins perceive the threat to be low
and do not follow best guidance regarding securing the JMX console,"
Papathanasiou explained to eWEEK. "My talk shows that this laissez faire
attitude toward this complex product results in systems being exposed on the
Internet to compromise."
JBoss servers are often viewed as inherently secure due to the difficulty of
obtaining off-the-shelf equipment for compromising
, but JBoss' prevalence among enterprises gives attackers motive
to get to work, Trustwave contends. Attackers are already performing such
attacks; however, until recently the wider community was "blissfully unaware
that JBoss and Tomcat instances when left in their default configuration could
be compromised in such a way," Papathanasiou said.
"We developed a tool that uses default functionality provided by JBoss which
allows us to ultimately gain complete control of the machine in question,
thereby demonstrating the real necessity going forward for admins to take great
care in securing their exposed JBoss instances," he said.
Mitigating the dangers involves password-protecting the JBoss instance as
well as keeping the software up-to-date, he added.
"We must, however, be careful, as recently a [zero-day] vulnerability was
discovered by a security consultancy called Minded Security, which in essence
allows the password protection to be bypassed," the researcher said. "Therefore,
a combination of password protection and utilizing the latest releases of the JBoss
platform and preferably the enterprise release rather than the community AS
version for production environments."
The AthCon conference will be held June 3 in Athens,